Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Nov 1st 2021
An attacker can log a user out of Firefly III: if a logged-in user visits an attacker-controlled page, that page can trigger the logout request on the user's behalf, forcing an unintended logout.
Tested on Edge, Firefox, Chrome and Safari.
The logout route should accept POST only, not GET (or ANY).
One way a GET/ANY logout route can be abused: a third party (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and any user of your site who lands on that page is logged out without knowing it, because the browser attaches the session cookie to the image request. The logout should therefore be a POST form protected with a @csrf token, which a page on another origin cannot read.
While this cannot compromise a user's account, it can be a real annoyance and is considered a valid CSRF.
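As an added illustration that is not firefly-iii's own code: a framework-free PHP script that puts the GET logout handler beside a POST handler which checks a per-session token, mirroring what Laravel's VerifyCsrfToken middleware and the @csrf Blade directive do. The function names, the session layout and the four request scenarios are assumptions made for this example.

```php
<?php
// Added illustration (not firefly-iii code): a logout endpoint that accepts
// any request, and the same endpoint restricted to POST plus a per-session
// CSRF token. Framework-free so it runs with the plain php CLI; the function
// names and the session array layout are made up for this example.

declare(strict_types=1);

// Vulnerable: any request that carries the session cookie ends the session,
// including an <img src="https://example.test/logout"> loaded from a page on
// another site (the browser sends the cookie, the method is GET).
function logoutViaGet(array &$session): string
{
    $session = [];                        // session destroyed, no questions asked
    return '200 logged out';
}

// Hardened: only POST, and only when the submitted _token matches the one
// stored server-side for this session (what Laravel's VerifyCsrfToken does).
function logoutViaPostWithToken(string $method, array $form, array &$session): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';  // <img>, <a> and redirects can only issue GET
    }
    $expected = $session['_token'] ?? '';
    $given    = $form['_token'] ?? '';
    // hash_equals() avoids leaking the token byte by byte through timing.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return '419 token mismatch';      // Laravel renders this as "Page Expired"
    }
    $session = [];
    return '200 logged out';
}

// The form a legitimate page renders; Blade's @csrf emits the same hidden input.
function logoutForm(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="/logout">'
         . '<input type="hidden" name="_token" value="' . $safe . '">'
         . '<button type="submit">Logout</button></form>';
}

// --- constructed scenario (session of a logged-in user) --------------------
$session = ['user_id' => 42, '_token' => bin2hex(random_bytes(20))];

// 1. Cross-site <img src="/logout">: cookie is sent, method is GET.
$s = $session;
echo 'GET  vulnerable : ', logoutViaGet($s),
     ' (user=', $s['user_id'] ?? 'none', ")\n";

// 2. The same forged GET against the hardened endpoint.
$s = $session;
echo 'GET  hardened   : ', logoutViaPostWithToken('GET', [], $s),
     ' (user=', $s['user_id'] ?? 'none', ")\n";

// 3. A forged POST from an attacker page: the attacker cannot read the
//    victim's _token across origins, so the best it can do is guess.
$s = $session;
echo 'POST no token   : ', logoutViaPostWithToken('POST', ['_token' => 'guess'], $s),
     ' (user=', $s['user_id'] ?? 'none', ")\n";

// 4. The real form, rendered with the session's token, submitted by the user.
$s = $session;
echo 'POST with token : ', logoutViaPostWithToken('POST', ['_token' => $session['_token']], $s),
     ' (user=', $s['user_id'] ?? 'none', ")\n";
echo logoutForm($session['_token']), "\n";
```

In the application itself the fix is the route definition plus the template: declare the route with Route::post('/logout', ...) inside the web middleware group, which applies VerifyCsrfToken, and replace the plain logout link with a form using method="POST" and @csrf. The script above only models the check that middleware performs, so the vulnerable and hardened behaviour can be compared without a framework.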